JP7074371B2 - Information management terminal device - Google Patents

Description

The present invention relates to acquisition, storage, and distribution of information to be processed for information processing such as data mining using AI (artificial intelligence) analysis. More specifically, it is involved in a series of processes such as information acquisition, storage, distribution, analysis, and visualization in devices and systems that handle human and physical health information.

In order to extract effective information from big data or the like with AI or the like, it is desirable that the data quality, acquisition means, and acquisition date must be accurately recorded. Furthermore, regarding information about people, strict recording and management is required for the management and distribution of personally identifiable data under the Personal Information Protection Law and the like.

For example, in Patent Document 1, in order to protect a legitimate user from a user who attempts to abuse the content, access to the content information stored in the hidden memory area, the visible memory area, and the content information stored in the hidden memory area. Described are portable memory devices that store information for each.

In Patent Document 2, in order to control the availability of content by a user by a method different from the conventional method, it is determined whether or not the user terminal has the right to use the content when playing or executing the content. However, if it is determined that the user does not have the right to use the content, the license information with the set expiration date is requested from the license management device, and the received license information is used to obtain the right to use the content until the expiration date. A content protection system that is determined to be present is described.

In Patent Document 3, in order to enhance security and functionality, the encryption / decryption key is stored in the media itself, making it difficult to access from an external device, and only the host device having the certificate can access the key. The storage device is listed.

Patent Document 4 describes a selector that connects a host controller and a circuit in a copyright protection chip in order to access encrypted contents stored in a storage device by using a host controller that accesses a memory card. When the access means accesses the encrypted content key stored in the storage device, the decryption key generation information, and the register storing the shared secret information, and the content obtained by decrypting the encrypted content stored in the hard disk. Described is a copyright protection chip comprising a communication circuit that communicates with the host controller and transmits the encrypted content key and the decryption key generation information stored in the register to the host controller.

In Patent Document 5, in order to provide appropriate protection according to the usage status of the content, the content usage terminal records usage history information such as duplication and modification when using the content received from the content providing terminal. It is sent to the content providing terminal at a predetermined time interval, the content providing terminal receives it, determines the protection level based on the usage history information and the preset usage conditions and protection pattern, and the corresponding protection processing. Describes a content protection system that delivers the protected content that has been used to the content user terminal.

Patent Document 6 describes a digital content protection device that embeds a digital watermark incorporating a user's identity in the digital content and provides it to the user in order to prevent illegal distribution of the digital content.

In Patent Document 7, in order to prevent unauthorized copying of the content on the terminal, the encrypted content is decrypted and reproduced using the content key included in the license acquired from the license server, and the user information included in the license is described. Described is a terminal device with a content protection function, which has a content reproduction means for inserting a digital watermark into the reproduced content.

Japanese Unexamined Patent Publication No. 2013-37715 Japanese Unexamined Patent Publication No. 2012-18662 Japanese Unexamined Patent Publication No. 2010-182332 Japanese Unexamined Patent Publication No. 2010-10824 Japanese Unexamined Patent Publication No. 2005-316863 Japanese Unexamined Patent Publication No. 2005-57769 Japanese Unexamined Patent Publication No. 2004-318448

As mentioned above, most of the conventional techniques are audio / video content for which the target of content protection is a license, and the living body / behavior / environment / device state generated by the person or object subject to IoT or big data.・ We did not anticipate various data such as equipment operation. In addition, most of the content protection technologies are based on the cloud and management servers, and it can be said that there is no technology from the viewpoint of personal information protection in which an individual judges the confidentiality of data. Furthermore, when data acquired by various sensors such as vital sign sensors is used as big data or AI analysis target, the reliability of the data is very important, but in most cases, the data acquired by the sensor is used for BLE (Bluetooth). (Registered trademark) Low Energy) or WiFi is generally used to send data to a terminal such as a smartphone, and then send it to the cloud as it is for processing, and no particular attention has been paid to falsification on the terminal. Processing software such as Android (registered trademark), which is often used for smartphones and tablet terminals, is relatively open, and security improvements such as fingerprint authentication have been progressing in recent years, but highly confidential personal health information is accumulated for a lifetime. At present, terminals such as smartphones running various application software are not always safe. Further, when personal health information or the like is stored in the terminal, it is left to the user to move the data when the terminal is replaced.

Therefore, it is an object of the present invention to provide a means for an individual or a corporation (called an information owner) who owns data to independently and securely manage information by using a device such as a smartphone, a PC, or a server. ..

In order to solve the above problems, the information management terminal device according to the present invention is
An information acquisition means for acquiring the first information to be managed, an information storage means for accumulating the first information and a second information which is additional information to the first information, and a storage medium. It is an information management terminal device that is provided.
The storage medium has a secret area that can be accessed only by a specific program including a program that operates the information management terminal device as the information storage means, and a normal area that can be accessed by programs other than the specific program.
The information acquisition means adds a date / time / time record as the second information.
The information storage means sequentially stores the first information or the link that can refer to the first information and the link that can refer to the second information or the second information in the normal region. And
The secret area is characterized by holding a data tampering detection parameter for detecting tampering with the first information and / or the second information.

As a result, information that can be detected when falsification is detected in the date or content can be compactly stored in the hand of the information owner who uses the terminal device, and information utilization led by the information owner can be realized.

In a preferred embodiment of the present invention, the data tampering detection parameter detects the presence or absence of tampering with respect to the first information and / or the second information by using the first information and / or the second information. It is characterized by being a key to generate information for the purpose of doing so.
In this way, by using the key to generate information for detecting the presence or absence of data tampering as the data tampering detection parameter, a large amount of data can be handled even when the data capacity that can be recorded in the concealed area is limited. Can be done.

In a preferred embodiment of the present invention, the concealed area includes a program tampering detection parameter for detecting tampering with the specific program.
It is characterized by comprising a program tampering detection means for performing tampering detection processing of the specific program using the program tampering detection parameter.
As a result, falsification of the program for acquiring and accumulating information can be prevented, and the reliability of the information can be dramatically improved.

In a preferred embodiment of the present invention, the program tampering detection means periodically performs tampering detection processing of the specific program.
When the falsification of the specific program is detected, the first information and the second information accumulated from the time when the previous falsification detection process of the specific program is executed to the time when the falsification of the program is detected. It is characterized by deleting or recovering.
As a result, information that may have been tampered with in the program can be deleted, and the reliability of the accumulated information can be ensured. The recovery of the health information and the health information passbook here can be realized by saving a backup of the health information and the health information passbook in another terminal device or server device in advance and acquiring the backup.

In a preferred embodiment of the present invention, the data tampering detecting means for performing the tampering detection processing of the first information and / or the second information using the data tampering detection parameter is provided.
When the data falsification detecting means detects falsification of the first information and / or the second information, the time when the previous falsification detection process of the first information and / or the second information is executed. It is characterized in that the first information and / or the second information accumulated up to the time when the falsification of the first information and / or the second information is detected is deleted or recovered.
As a result, it is possible to reliably delete or recover data that may be tampered with, and to reliably eliminate unreliable data.

In a preferred embodiment of the present invention, the information management terminal device further includes a distribution means for selecting and outputting distribution target information from the first information and the second information accumulated by the information storage means.
The distribution means includes a concealment level setting means for setting a concealment level of the selected distribution target information, and a means for adding the concealment level as additional information to the distribution target information and outputting the concealment level. ..
As a result, the accumulated information can be transmitted to other terminals and the like and actively utilized.

In a preferred embodiment of the invention, the concealment level is
Class 0, which transmits the distribution target information without encryption, and
Class 1 to be transmitted with the distribution target information encrypted, and
Class 2 that encrypts the distribution target information, prohibits duplication at the output destination, sets the expiration date of the distribution target information, and transmits the information.
Class 3 that encrypts the distribution target information, prohibits duplication at the output destination, restricts the handling of processing result information caused by arbitrary processing on the distribution target information, and sets an expiration date of the distribution target information for transmission. , Is included.
As a result, the confidentiality of the health information to be distributed can be ruled, and it becomes possible to generate distribution information for the information owner to control the conventional type of distribution to a general server and the management of health information at the distribution destination.

In a preferred embodiment of the present invention, the second information is a history of output by the distribution means, information for specifying an output destination by the distribution means, a confidentiality level, and a processing result at the output destination by the distribution means. It is characterized by containing at least one.
As a result, analysis, redistribution, erasure, etc. of received health information remain as a record, facilitating verification by the information owner of the distribution source, and dramatically improving the reliability of the system.

In a preferred embodiment of the present invention, the first information is information about the health of a person and / or a thing.
As a result, information that needs to be handled securely, such as the health condition of people and things, can be handled appropriately.

The information management terminal device according to another embodiment of the present invention is
The receiving means for receiving the first information distributed from the other terminal device and the second information which is additional information to the first information, the first information, and the analysis of the second information. An information management terminal device including an analysis means to be performed, an output means for transmitting and / or displaying an analysis result by the analysis means to the other terminal device, and a storage medium.
The storage media has a secret area accessible only by a specific program including a program that operates the information management terminal device as the receiving means, the analysis means, and the output means, and programs other than the specific program. With an accessible normal area,
The receiving means has a concealment level determining means for determining the concealment level given to the first information and the second information.
The analysis means and the output means handle the first information, the second information, and the analysis result according to the concealment level, and the concealment area detects tampering with the specific program. Including parameters
An information management terminal device comprising a program tampering detection means for detecting tampering with the specific program using the program tampering detection parameter.
As a result, it is possible to prevent falsification of the program and eliminate the risk that information contrary to the confidentiality level and its analysis result are handled.

In a preferred embodiment of the present invention, the analysis means accumulates the history information of the analysis or a link that can refer to the history information of the analysis in the normal region.
The secret area is characterized by holding a data falsification detection parameter for detecting falsification of the history information.
As a result, the analysis history information is accumulated in a state in which falsification can be detected, verification by the information owner of the distribution source becomes easy, and the reliability regarding the handling of information is dramatically improved.

In a preferred embodiment of the present invention, when the analysis means detects falsification of the history information of the analysis, the falsification of the history information of the analysis is detected from the time when the falsification detection process of the history information of the previous analysis is executed. It is characterized by deleting or recovering the history information of the analysis accumulated up to the time point.
As a result, it is possible to reliably delete or recover data that may be tampered with, and to reliably eliminate unreliable data.

In a preferred embodiment of the invention, the concealment level is
Class 0 that handles the first information and the second information without encryption, and
Class 1 that handles the first information and the second information in a encrypted state, and
Class 2 in which the first information and the second information are encrypted, duplication at the output destination is prohibited, and the expiration date of the first information and the second information is set and handled.
The first information and the second information are encrypted, and duplication at the output destination is prohibited, the handling of the analysis result is restricted, and the expiration date of the first information and the second information is set. It is characterized by including the class 3 handled by the user.
As a result, the confidentiality of information and its analysis results can be ruled, and it becomes possible to generate distribution information for the information owner to control the conventional type of distribution to a general server and the management of health information at the distribution destination.

In a preferred embodiment of the present invention, the receiving means receives the analysis result from another terminal device and receives the analysis result.
The analysis means is characterized in that the analysis result is reanalyzed.
As a result, various analyzes can be performed according to the confidentiality level, that is, according to the intention of the information owner, such as obtaining a more detailed analysis result from the analysis result or obtaining an analysis result from another viewpoint.

In a preferred embodiment of the present invention, the first information is information about the health of a person and / or a thing.
As a result, information that needs to be handled securely, such as the health condition of people and things, can be handled appropriately.

Health information that can be detected when the date or content is falsified can be stored compactly in the hands of the information owner who uses the terminal device, and information utilization led by the information owner can be realized.

It is a block diagram of the system which used the information management terminal apparatus which concerns on Embodiment 1 of this invention. It is a functional block diagram of the health information distribution side device which concerns on Embodiment 1 of this invention. It is a functional block diagram of the health information reception / analysis side device which concerns on Embodiment 1 of this invention. It is a flowchart which shows the program reading process in Embodiment 1 of this invention. It is a flowchart which shows the tampering detection processing of the program in Embodiment 1 of this invention. It is a flowchart which shows the health information acquisition processing in Embodiment 1 of this invention. It is a flowchart which shows the health information distribution processing in Embodiment 1 of this invention. It is a flowchart which shows the health / analysis information reception processing in Embodiment 1 of this invention. It is a flowchart which shows the health information analysis / analysis information reanalysis processing in Embodiment 1 of this invention. It is a flowchart which shows the data recording / reading processing in Embodiment 1 of this invention. It is a functional block diagram of the health information distribution side device which concerns on Embodiment 2 of this invention. It is a functional block diagram of the health information reception / analysis side device which concerns on Embodiment 2 of this invention. It is a flowchart which shows the program reading process in Embodiment 2 of this invention. It is a functional block diagram of the health information distribution side device which concerns on Embodiment 3 of this invention. It is a functional block diagram of the health information reception / analysis side device which concerns on Embodiment 3 of this invention. It is a flowchart which shows the data recording / reading processing in Embodiment 3 of this invention. It is a flowchart which shows the tampering detection processing of the program in Embodiment 3 of this invention. It is a sequence diagram which shows an example of the flow of exchanging data between devices in Embodiment 3 of this invention.

(Embodiment 1)
<Overall configuration of the system using the information management terminal device>
Hereinafter, Embodiment 1 of the present invention will be described in detail with reference to the drawings. FIG. 1 is a configuration diagram of a system using the information management terminal device according to the present embodiment. As shown here, the information management terminal device according to the present invention includes a health information distribution side device 1 that acquires and distributes information from a sensor, and a health information reception / analysis side device that receives and analyzes information. 2a to 2c (hereinafter, generally referred to as health information receiving / analyzing side device 2 when it is not necessary to distinguish them) are configured to be communicable directly or via the network NW. Further, the health information distribution side device 1 is not an information management terminal device according to the present embodiment, but is a general computer or a terminal device 3a, 3b (hereinafter, a terminal as a whole when it is not necessary to distinguish between them). Also referred to as device 3), it is configured to be able to communicate directly or via the network NW. The health information distribution side device 1 includes various sensors such as a sensor 4a attached to an infant, a sensor 4b attached to an elderly person, a sensor 4c attached to a manufacturing apparatus, and a sensor 4d attached to an automobile (hereinafter referred to as a sensor 4d). , When it is not necessary to distinguish between them, it is generally referred to as a sensor 4) and can be communicated wirelessly or by wire. Further, the health information distribution side device 1 and the health information reception / analysis side device 2 also communicate with the management server device 5 that stores information about the programs operating on those devices and information about the sensor 4 via the network NW. Possible to be configured.

The health information in the present invention is a general term for information generated or involved by people or things. For example, as information related to human health, biological information (electrocardiogram, pulse wave, heartbeat, pulse, body temperature, etc.), behavior information (sleep, meal, excretion, GPS position, purchase, medication, medical history, etc.), environmental information ( Information generated by things such as temperature, humidity, pressure, air pollution, pollen, etc., that is, information related to the health of things, such as device status information (abnormal noise, temperature, vibration, etc.), device operation information (handle / accelerator) -Operation information such as brakes, abnormal noise information such as non-destructive tests, operating time, GPS position, operator, etc.), environmental information of equipment (almost the same as humans), etc. can be mentioned. In addition, devices that handle devices such as the health information distribution side device 1, the health information reception / analysis side device 2, and the terminal device 3 are generally referred to as users, but in particular, the health information distribution side device 1 is used to obtain health information. A user who performs distribution is called an information owner.

Further, the configuration may be such that not only the health information of people and things as described above but also various information can be handled. For example, regarding documents such as drawings attached to contracts, various information that requires guarantee of legitimacy and detection of falsification, such as storage and distribution in a state where the validity can be guaranteed. Management can be performed using the information management terminal device according to the present invention.

Since the basis of the present invention is one-to-one communication between the health information distribution side device 1 and the health information reception / analysis side device 2 or the terminal device 3 by Peer to Peer (P2P), a specific cloud server or the like can be used. do not need. Of course, connection with a cloud server is also possible as an extension of P2P communication.

In the present embodiment, the recording medium with enhanced security is used as the distribution side media 11 in combination with a widely used smartphone, tablet, PC or the like (referred to as a device), and the health information distribution side device 1 is similarly used. In addition, the health information reception / analysis side device 2 is realized by the reception / analysis side media 21 and the device, respectively. As the recording medium, for example, an SD card of the SeeQVault (registered trademark) standard can be used. In the recording medium, a secret area and a normal public area are defined by a processor built in the recording medium. Among them, the secret area can be accessed only by the specific authentication software operating on the device by using the public key generated from the secret key stored in the secret area of the recording medium. In other words, there are media with a secret area that can only be accessed by specific authentication software, which is invisible to general file systems such as those provided by the OS (Operating System, basic software) installed in the device. Become. As long as it is a recording medium of a standard having a similar mechanism, it is not limited to the SD card of the SeeQVault standard, and other recording media may be used.

<Health information distribution side device configuration>
FIG. 2 shows a functional block diagram of the health information distribution side device 1. As shown here, the health information distribution side device 1 includes a distribution side media 11, an encoder 12 that acquires health information from the sensor 4 and records it on the distribution side media 11, and receives / analyzes health information of health information. It includes a distribution unit 13 that transmits to the side device 2 and the terminal device 3, and an individual / qualification information authentication means 14 that authenticates when acquiring and distributing health information.

The distribution-side media 11 has a concealed area 111 and a normal area 112. As described above, the secret area 111 is an area that can be accessed only by the specific authentication software operating on the device by using the public key generated from the secret key stored in the secret area of the recording medium. Further, as will be described later, the secret area 111 can be accessed only when mutual authentication between the device and the media is established between the device authentication means 1111 and the media authentication means 121 and 131. The normal area 112 is not a general file system provided by the OS of the device, but the media file system control information 1112 held by the secret area 111 (such as a pointer for realizing sequential writing to the media). It is managed by a private media file system linked with information).

The secret area 111 is a device authentication means 1111 that performs mutual authentication between the distribution side media 11 and the health information distribution side device 1, the media file system control information 1112 described above, and reading / writing data to / from the normal area 112. The data encryption key 1113, which is the key for encryption / decryption, the program file and health information passbook on the health information distribution side device 1, and the hash value used to detect unauthorized falsification of health information, etc. The tampering detection parameter 1114 and the like are included.

The normal area 112 receives the health information from the sensor 4, stores the received health information, and distributes the stored health information to the health information receiving / analyzing side device 2 and the terminal device 3. The distribution program file 1122 to be performed, the health information passbook 1123 which is a record of the distribution of health information, and the accumulation of health information 1124 received from the sensor 4 are included.

Here, in the health information passbook 1123, as the attributes of the health information acquired from the sensor 4, the sensor identifier possessed by each sensor 4, the acquisition date and time and type of the health information, the size, and the data tampering detection parameter (for example, the hash of the health information) Value) etc. are recorded sequentially with overwrite prohibition. Further, when the health information is output from the health information distribution side device 1 to the health information reception / analysis side device 2 or the terminal device 3, the output history, the output destination, the confidentiality level set at the time of output, and the output destination are used. Includes information such as returned analysis results.

The information included in the secret area 111, the encoder program file 1121 and the distribution program file 1122 included in the normal area 112 are recorded on the distribution side media 11 at the time of initial setting of the distribution side media 11 or by a reliable distribution method. Is to be done.

The encoder 12 includes a media authentication means 121 for mutual authentication between the device and the media with the device authentication means 1111, a media file system 122 for accessing the normal area 112, and health information from the sensor 4. It has a health information passbook 1123 that acquires and stores health information passbook 1123, health information 1124, an encoder program 124, and a tampering detection means 123 that detects tampering with the encoder program 124.

In the encoder program 124, the device 1 on the health information distribution side reads and executes the encoder program file 1121 from the normal area 112, and acquires health information from the sensor authentication means 1241 that authenticates the sensor 4 and the sensor 4. It includes a health information acquisition means 1242 and a health information storage means 1243 that stores health information in health information 1124 and additional information of health information in health information passbook 1123.

Similar to the media authentication means 121, the distribution unit 13 has a media authentication means 131 for mutual authentication between devices and media, a media file system 132 for accessing the normal area 112, a health information passbook 1123, and health information 1124. The distribution program 134 that distributes the information, the health information passbook 1123 and the health information 1124, the tampering detection means 133 that detects the tampering of the distribution program 134, the distribution destination of the health information and the health information passbook from the information owner, and the time of distribution. It has an information distribution destination / concealment level designation input receiving means 135 that accepts the designation of the concealment level to be set in, and a tampering detection parameter concealment distribution means 136 that conceals and distributes the tampering detection parameter 1114.

In the distribution program 134, the health information distribution side device 1 reads the distribution program file 1122 from the normal area 112 and executes it. The health information passbook 1123 and the health information 1124 are containerized to generate a health information container to be distributed. It includes a health information container generation means 1341 and a health information container distribution means 1342 that distributes the health information container to the health information receiving / analyzing side device 2 and the terminal device 3.

Falsification detection parameter concealment delivery means 136 distributes health information to other health information receiving / analysis side devices 2 and the like, and then, in order to verify the presence or absence of falsification, the falsification detection parameter (falsification detection parameter) of the delivered health information ( Hash value, etc.) is provided in a concealed state.

In this embodiment, the concealment level for receiving the designation from the information owner by the information distribution destination / concealment level designation input receiving means 135 is as shown in Table 1. This confidentiality level is specified by the information owner in principle for the health information container to be distributed, and is treated as additional information when recording or distributing health information. As shown in Table 1, in class 0, which has the lowest confidentiality level, health information that is difficult to tamper with, including the date of health information, remains only as evidence in the hands of the information owner, and the delivered information is treated as the other party. Dependent. In this case, it is possible to send information to a general terminal device (conventional cloud service or the like) as shown as terminal devices 3a and 3b in FIG. In order to achieve a confidentiality level of class 1 or higher, a secure storage medium is also required on the analysis side that receives the information container. By installing reception / analysis software that is difficult to tamper with, this media makes it difficult to distribute to the receiving container without permission. In addition, the history of redelivery etc. is written and recorded in the health information passbook of the receiving side and the information owner side. Specifically, in the case of class 1 designation, it is necessary to decrypt the received health information. The key for this decryption needs to be stored in the secret area on the receiving side in advance. In class 2, the information owner can further specify controls such as redelivery hyphae, expiration date, and erasure of received health information. In class 3, the same specification is possible for the analysis result.

Further, in the present embodiment, the encoder 12 and the distribution unit 13 have a media authentication means 121, a media authentication means 131, a media file system 122, a media file system 132, a tampering detection means 123, and a tampering detection means 133, respectively. As shown, the configuration may be such that these functions are shared. However, in any case, the media authentication means 121, 131, the media file systems 122, 132, and the tampering detection means 123, 133 are tamper-resistant (software code obfuscation processing), and access to the concealed area 111. In order to do so, these software (nuclear software) are indispensable.

<Health information reception / analysis side device configuration>
FIG. 3 shows a functional block diagram of the device 2 on the health information receiving / analyzing side. As shown here, the health information reception / analysis side device 2 receives health information from the reception / analysis side media 21 and the health information distribution side device 1, and receives the analysis result to the health information distribution side device 1. Transmission, transmission for receiving other health information analysis results of health information / transmission for requesting reanalysis to the analysis side device 2 or terminal device 3, reception of reanalysis results, etc., and received health information It is provided with a decoder 23 that controls browsing and analysis of the information, and an individual / qualification information authentication means 24 that authenticates when receiving and browsing health information.

The reception / analysis side media 21 can use a recording medium having a concealed area 211 and a normal area 212 as in the distribution side media 11, and the media authentication means 221 is a device authentication means 2111 and media similar to the concealed area 111. Includes file system control information 2112, data encryption key 2113, and tamper detection parameter 2114.

The normal area 212 receives health information from the health information distribution side device 1 and transmits the analysis result of the health information to the health information distribution side device 1, other health information reception / analysis side device 2, terminal device 3, and the like. Send / receive program file 2121 to be performed, decoder program file 2122 to analyze received health information and control browsing, health information passbook / health information 2123 to store health information and information added to it, and analysis results of health information. Includes analysis result information 2124 for storing and the like.

Regarding the information contained in the secret area 211, the transmission / reception program file 2121 and the decoder program file 2122 included in the normal area 212, the distribution side media 11 is used at the time of initial setting of the reception / analysis side media 21 or by a reliable distribution method. It is recorded in.

The transmission / reception unit 22 includes a media file system 122 for mutual authentication between the device and the media with the device authentication means 2111, a media file system 222 for accessing the normal area 212, a media file system 222, and the like. As a manipulation detection means 223 that detects manipulation such as health information passbook / health information 2123 and analysis result information 2124, reception and opening of health information container and analysis information container, and analysis information container of health information analysis result by decoder 23. The transmission / reception program 224 that transmits the information, the concealment level determination means 225 that determines the concealment level set in the health information container and the analysis information container, and the tampering detection parameter concealment distribution that conceals and distributes the tampering detection parameter 2114. Means 226 and.
Have.

In the transmission / reception program 224, the health information reception / analysis side device 2 reads the transmission / reception program file 2121 from the normal area 212 and executes it, and receives the health information container from the health information distribution side device 1 and receives other health information. / Health / analysis information container receiving means 2241 that receives the analysis information container from the analysis side device 2 or the terminal device 3, opening of the received health information container or analysis information container, health information passbook / health information 2123 It includes a health / analysis information container opening means 2242 for recording and an analysis information container transmitting means 2243 for distributing the analysis result of health information by the decoder 23 stored in the analysis result information 2124 as an analysis information container.

The falsification detection parameter concealment distribution means 226 distributes the analysis result of the health information to the health information distribution side device 1 and other health information reception / analysis side devices 2, and then verifies the presence or absence of the falsification. , The falsification detection parameter (hash value, etc.) of the distributed analysis result is provided in a concealed state.

The decoder 23 analyzes and browses / browses health information, a media authentication means 231 that performs mutual authentication between the device and the media with the device authentication means 2111, a media file system 232 for accessing the normal area 212, and health information. It has a decoder program 234 that controls transmission and the like, a health information passbook / health information 2123, analysis result information 2124, and a tampering detection means 233 that detects tampering with the decoder program 234.

In the decoder program 234, the health information receiving / analyzing side device 2 reads the decoder program file 2122 from the normal area 212 and executes it, and browses health information and analysis results, receives health information distribution side device 1, and other health information. / Includes a browsing control means 2341 that controls transmission to the analysis side device 2 and the terminal device 3, and a health information analysis means 2342 that analyzes health information.

In this embodiment, the transmission / reception unit 22 and the decoder 23 have a media authentication means 221, a media authentication means 231, a media file system 222, a media file system 232, a tampering detection means 223, and a tampering detection means 233, respectively. As shown, the configuration may be such that these functions are shared. However, in either case, the media authentication means 221 and 231, the media file system 222, 232, and the tampering detection means 223 and 233 are tamper-resistant (software code obfuscation processing) and access the concealed area 211. In order to do so, these software (nuclear software) are indispensable.

Further, in the present embodiment, as described above, as the output of the analysis result by the health information reception / analysis side device 2, the display on the health information reception / analysis side device 2 by the browsing control means 2341 and the analysis information container transmission. Although the configuration capable of outputting to the health information distribution side device 1, the health information reception / analysis side device 2, and the terminal device 3 by the means 2243 is shown, only one of these is provided as the output means. May be. For example, a configuration for allowing the viewing control means 2341 to only receive health information / display on the analysis side device 2 and allow the user of the health information reception / analysis side device 2 to view the analysis result, or an analysis information container transmission means. Only transmission by 2243 is possible, and the analysis result is returned to the health information distribution side device 1 of the sender of the health information and health information passbook, and reanalyzed to other health information reception / analysis side device 2 and terminal device 3. An example is a configuration in which only a request is made.

Further, although the health information distribution side device 1 and the health information reception / analysis side device 2 have different functions, the present invention is not limited to this. For example, a recording medium containing information stored in the distribution side media 11 and the reception / analysis side media 21 is connected to a terminal device having the functions of an encoder 12, a distribution unit 13, a transmission / reception unit 22, and a decoder 23 for health. A terminal device that can be used as both the information distribution side device 1 and the health information reception / analysis side device 2 may be used.

It is assumed that all the programs such as the encoder program file 1121, the distribution program file 1122, the transmission / reception program file 2121, and the decoder program file 2122 are registered in the management server device 5 in advance. Further, it is assumed that the attribute information (sensor identifier for identifying the sensor 4 and other information about the sensor 4) related to each sensor 4 is also stored in the management server device 5 in advance and can be referred to at the time of analysis.

<Reading the program, detecting tampering>
The encoder program file 1121 and the distribution program file 1122 are read when the health information distribution side device 1 is started. Further, it may be configured to be read when the health information acquisition process is performed periodically or based on the user's instruction. FIG. 4 is a flowchart showing the flow of the reading process of the encoder program file 1121.

First, in step S101, mutual authentication is performed between the health information distribution side device 1 and the distribution side media 11. This is a process executed between the media authentication means 121 and the device authentication means 1111.

Then, if it is determined in step S102 that the authentication process between the device and the media is successful, the process proceeds to step S103, and the encoder program file 1121 is read into the health information distribution side device 1 as the encoder program 124, and is healthy. The information distribution side device 1 is expanded on the memory.

If the authentication fails in step S102, the encoder program 124 in step S103 is not read and the process ends. At this time, the configuration may be such that a message indicating an authentication failure or a log is output.

The same processing is performed for the reading of the distribution program file 1122 by the health information distribution side device 1. Alternatively, the process of reading the encoder program file 1121 and the distribution program file 1122 may not be performed separately, and the process may be such that both the encoder program file 1121 and the distribution program file 1122 are read in step S103 after one authentication process. Further, when the transmission / reception program file 2121 and the decoder program file 2122 are read by the health information reception / analysis side device 2, the same processing is performed by the health information reception / analysis side device 2.

Even after the program is read from the media authentication means 121 (or the media authentication means 221) by the above processing, the detection process for whether or not the program has been tampered with is periodically performed. FIG. 5 is a flowchart showing the flow of the tampering detection process.

First, in step S201, the tampering detection parameter 1114 and the tampering detection parameter 2114 are read. In the present embodiment, the hash values of the encoder program file 1121 and the distribution program file 1122 are used as the tampering detection parameter 1114 for the program, and the hash values of the transmission / reception program file 2121 and the decoder program file 2122 are used as the tampering detection parameter 2114 for the program. , Each of which is included in the information used. Here, the hash value is a value obtained by performing an irreversible calculation process on the original data using a hash function. The hash value of the regular file is calculated and recorded in advance, and in the tampering detection process, the hash value of the file to be detected for tampering is calculated by the same procedure, and it becomes the same as the hash value of the regular file. By determining whether or not the file has been tampered with, it is possible to verify whether or not the file has been tampered with.

After reading the hash value recorded as the tampering detection parameters 1114 and 2114 in step S201, the hash value of the program to be inspected is calculated in step S202. Here, the encoder program file 1121 and the distribution program file 1122 read into the health information distribution side device 1 and the transmission / reception program file 2121 and the decoder program file 2122 read into the health information reception / analysis side device 2 are the inspection target programs. ..

In the following step S203, the hash values are compared. Here, as described above, if the hash values are the same, it can be determined that the program has not been tampered with, but if the hash values are different, there is a suspicion that the program has been tampered with illegally. Therefore, if it is determined in step S204 that the hash values are the same, the tampering detection process ends, but if it is determined in step S204 that the hash values are not the same, the process proceeds to step S205, and the program to be inspected. Reloading process is performed. For this, the process as described above with reference to FIG. 4 may be performed again.

If the hash values are not the same and there is a risk of program tampering, the data acquired from the previous tampering detection process to the present, that is, the program may have been tampered with illegally. It is preferable to perform processing such as discarding or recovering unreliable data.

Here, when falsification of the encoder program 124 is detected, it is preferable to delete the health information and the health information passbook acquired from the previous falsification detection process to the present. Further, since the analysis result performed using the data is also unreliable, it is also applicable to other health information receiving / analyzing side devices 2 and terminal devices 3 that hold such analysis results. , It is more preferable to have a configuration that requests the deletion of data.

On the other hand, when a tampering with a program other than the encoder program 124 is detected, the other health information distribution side device 1, the health information reception / analysis side device 2, the terminal device 3, or the management server device 5 or the figure is shown. If the configuration is such that regular backups are taken to other server devices, etc., there is a possibility that those server devices, etc. are not affected by program tampering, that is, highly reliable data exists. .. In such a case, it is preferable to acquire such information and recover the data.

Further, even when the tampering of a program other than the encoder program 124 is detected, the data in which the tampering is detected intervenes in the processing, that is, the health information reception / analysis when the tampering of the distribution program 134 is detected. Health information and health information passbook transmitted to the side device 2 and terminal device 3, and the health information distribution side device 1 and other health when tampering with the transmission / reception program 224 or the decoder program 234 is detected as the analysis result. Data such as analysis results and reanalysis results transmitted to the information reception / analysis side device 2, terminal device 3, etc. are also unreliable, so a configuration that requests deletion of such data. Is more preferable.

In the present embodiment, as described above, the program file read from the distribution side media 11 by the health information distribution side device 1 and the program file read from the reception / analysis side media 21 by the health information reception / analysis side device 2. Is inspected for unauthorized tampering, and if there is a risk of tampering, the program file is reloaded to ensure that health information and analysis results are not tampered with or used. be able to.

<Health information acquisition process>
Subsequently, the process of acquiring the health information from the sensor 4 by the device 1 on the health information distribution side will be described. FIG. 6 is a flowchart showing the flow of the health information acquisition process. First, in step S301, the information owner authentication process is performed by the personal / qualification information authentication means 14. It should be noted that this may be performed by the authentication means possessed by the health information distribution side device 1, for example, inputting a preset password or biometric authentication such as fingerprint authentication or face authentication by the health information distribution side device 1. If the device has the functions to be performed, the device may be configured to use those functions.

If it is determined in step S302 that the user authentication is successful, the process proceeds to step S303, and the sensor authentication means 1241 performs authentication processing of the sensor 4. This is to prevent unauthorized acquisition of health information generated by a person other than the information owner or a target device 1 or sensor 4 on the health information distribution side, and is used at the time of installation or initial registration of the sensor 4. At that time, the sensor-specific identifier to be targeted at the time of registration change is listed by the information owner, and by monitoring the content of unnatural acquired information, it is detected and recorded in the health information passbook 1123, and based on that. Authenticate to.

If it is determined in step S404 that the authentication of the sensor 4 is successful, the process proceeds to step S305, and the health information storage means 1243 performs the process of acquiring the health information from the sensor 4. Additional information is added to the health information acquired here in step S306. Examples of the additional information include the date / time / time record (time stamp) from which the health information was acquired, information on the sensor 4 from which the health information was acquired, and the like. Here, it is preferable that these additional information are given in a form that is difficult to falsify by an electronic certificate, an electronic time certificate, or the like issued by a trusted site.

In step S307, the health information acquired in step S305 and added with additional information in step S306 is recorded in the health information passbook 1123 and the health information 1124. The recording of health information here is sequentially performed as overwrite prohibition.

By the above processing, health information is acquired using the health information distribution side device 1. By authenticating the information owner and the sensor 4 in this way, it is possible to prevent a third party from recording unauthorized health information unintentionally by the information owner. Furthermore, by adding additional information in a form that is difficult to falsify to the health information acquired from the sensor 4 and sequentially recording the information by prohibiting overwriting, the information owner can also improperly falsify the health information. Can be prevented. As a result, the reliability of the health information recorded by the health information distribution side device 1 can be made very high.

Note that FIG. 6 illustrates a process of immediately ending the process when it is determined in step S302 that the user authentication has failed or when the sensor 4 authentication has failed in step S304. Arbitrary processing such as processing for requesting authentication or processing for displaying a warning message may be added.

<Distribution processing of health information>
The health information acquired from the sensor 4 by the encoder 12 and recorded on the distribution side media 11 and the health information passbook which is additional information thereof can be distributed to the health information reception / analysis side device 2 and the terminal device 3. .. FIG. 7 is a flowchart showing the flow of the distribution process of health information.

First, in step S401, the information owner is authenticated. This may be the same process as in step S301 in the health information acquisition process described with reference to FIG. Then, when it is determined in step S403 that the user authentication is successful, the distribution process of steps S403 to S405 is performed.

In step S403, the information owner specifies the information to be distributed in the health information passbook 1123 and the health information 1124, the distribution destination, and the confidentiality level used for distribution. The designation of the information to be distributed here may be accepted by any method, for example, information acquired from a specific sensor 4, information acquired in a specific period, or the like. For the delivery destination, specify the method of specifying the health information reception / analysis side device 2 or terminal device 3 directly connected by wire or wireless, or specify the URL (Uniform Resource Locator) if connected via the network NW. The specification may be accepted by any method such as the method of performing. Alternatively, a configuration may be adopted in which the health information receiving / analyzing side device 2 or the terminal device 3 connected by a predetermined method such as a wired connection is automatically selected as the delivery destination. The confidentiality level accepts the selection of any of the four classes 0 to 3 as shown in Table 1 above. Alternatively, the confidentiality level used for distribution may be predetermined for the information to be distributed, the health information reception / analysis side device 2 of the distribution destination, and the terminal device 3.

In the following step S404, the health information container is generated based on the designation received from the information owner in step S403. The health information container here is a container for distributing health information and information to be distributed in the health information passbook at a confidentiality level specified by the information owner. It may be a single file or it may be in the form of a collection of multiple files.

When transmitting the health information container or analysis information container to the terminal device 3 that does not have a secure recording medium such as the reception / analysis side media 21, the confidentiality level is set to class 0, or the confidentiality level is set to class 0. Processing such as omitting the setting of the confidentiality level itself when creating the health information container may be performed.

Then, in step S405, the health information container is transmitted to the delivery destination, and the health information delivery process is completed. In addition to accepting the user authentication in step S401 and various designations in step S403 from the information owner as described here, the health information distribution process is performed by periodically setting the distribution of health information in advance. The user authentication in step S401 may be omitted and the user authentication may be automatically executed periodically.

Further, along with the distribution of the health information container in step S405, the tampering detection parameter concealment distribution means 136 may be configured to distribute the health information included in the health information container and the tampering detection parameter of the health information passbook. ..

<Reception / analysis processing of health information>
Next, the reception process of the health information container distributed from the health information distribution side device 1 by the health information reception / analysis side device 2 will be described. Since the same processing is performed when the analysis information container which is the analysis result of the health information container is received from the other health information receiving / analysis side device 2 or the terminal device 3, it will be described together. FIG. 8 is a flowchart showing the flow of reception processing of the health information container and the analysis information container by the health information reception / analysis side device 2.

After receiving the health information container and the analysis information container in step S501, the confidentiality level is determined in step S502. This is executed by assigning information to the health information container or the analysis information container in advance so that the confidentiality level can be determined without opening the container, and reading the information.

Then, according to the confidentiality level determined in step S502, the health information container and the analysis information container are opened in step S503. This is different processing depending on the confidentiality level. For example, if the data is class 0, it is only necessary to expand the container, but if the confidentiality level of class 1 or higher is set, the combined processing of the encrypted data is performed. Is included. Further, if the data is of class 2 or higher, the process of acquiring additional information such as copying restrictions and expiration dates set for the data is also included.

In step S504, the health information and health information passbook obtained by opening the health information container and the analysis result information obtained by opening the analysis information container are recorded in the health information passbook / health information 2123, and the reception process is completed. do.

It should be noted that the reception process as described above may be configured to be executed periodically, configured to be executed when instructed by a user who uses the health information receiving / analyzing side device 2 or the terminal device 3, or health. It should be executed at any timing, such as the distribution of health information from the information distribution side device 1 and the configuration to be performed each time the analysis information container is distributed from another health information reception / analysis side device 2 or terminal device 3. It may be configured as such.

Further, as described above, when the falsification detection parameter is transmitted from the health information distribution side device 1 from the falsification detection parameter concealment distribution means 136 with the distribution of the health information container, it is healthy. The information reception / analysis side device 2 may receive the information and verify whether or not the data has been tampered with after the opening process in step S503.

<Health information analysis / analysis information reanalysis processing>
FIG. 9 shows the analysis processing of the health information received from the health information distribution side device 1 in the health information reception / analysis side device 2, and the analysis information received from other health information reception / analysis side devices 2 and the terminal device 3. It is a flowchart which shows the flow of the reanalysis process of. First, in step S601, the health information and the health passbook information are read out from the health information passbook / health information 2123.

Then, in step S602, the health information analysis means 2342 analyzes the health information and re-analyzes the analysis information, and in step S603, the result is temporarily recorded in the analysis result information 2124. Here, the sensor identifier included in the health passbook information read in step S601 is used to acquire information about the sensor 4 for which health information has been acquired from the management server device 5, and analysis or the like is performed based on the information. This analysis is, for example, behavior information such as daytime activity amount and position information sent in a health information container, environmental information such as pollen, air pollution, pressure and temperature during movement, and biological information such as stress and blood pressure fluctuation. By visualizing the mutual relationship of information such as, by analyzing AI and the like, it is possible to obtain results that can be used for pre-illness measures, treatment, product development using big data, and the like.

In addition, the analysis result may not be temporary, but may be configured to continue to retain (within the range allowed by the confidentiality level set in the health information), or only the history information that the analysis was performed may be retained. It may be configured as such. With such a configuration, verification by the information owner of the distribution source of health information can be facilitated.

After that, in step S604, the analysis information container transmitting means 2243 transmits the analysis result temporarily recorded in the analysis result information 2124. If the destination is the analysis result of the health information received from the health information distribution side device 1, the transmission destination is the health information distribution side device 1 which is the transmission source, and the analysis result is further received / received by another health information /. When the analysis side device 2 or the terminal device 3 analyzes or stores the information, the confidentiality level may be set and the information may be transmitted to those devices. Further, the configuration may be such that the user can specify an arbitrary destination.

When transmitting the health information container or analysis information container to the terminal device 3 that does not have a secure recording medium such as the reception / analysis side media 21, the confidentiality level is set to class 0, or the confidentiality level is set to class 0. It suffices to perform processing such as omitting the confidentiality level setting itself and sending.

Here, the tampering detection parameter concealment distribution means 226 may transmit the tampering detection parameter of the analysis result along with the transmission of the analysis information container in step S604.

Although the process of transmitting the analysis result of the health information to the health information distribution side device 1, the other health information reception / analysis side device 2, and the terminal device 3 has been described here, the health information is transmitted by the browsing control means 2341. It is also configured so that it can be viewed by a user who uses the receiving / analyzing device 2. Here, in both transmission to another device by the analysis information container transmission means 2243 and browsing by the user using the browsing control means 2341, according to the confidentiality level specified in the original health information container (or analysis information container). Processing is done. That is, if the confidentiality level of the original health information container and analysis information container is set to class 2 or higher, and data copying restrictions and expiration date settings are given, viewing restrictions and validity are set accordingly. Expired data is deleted, etc.

<File recording / reading processing by the media file system>
Distribution in steps S307 in the health information acquisition process, step S404 in the health information distribution process, step S504 in the health information and analysis information reception process, steps S601 and S603 in the health information analysis and analysis information reanalysis process, and the like. When reading / writing data to / from the normal area 112 of the side media 11 or the normal area 212 of the transmission / reception unit 22, the media file systems 122, 132, 222, 232 perform processing for making it difficult to tamper with. Will be.

FIG. 10A is a flowchart showing the flow of data recording processing by the media file systems 122, 132, 222, 232. When recording the data, first, in step S701, the hash value of the data to be recorded is calculated. This is a data tampering detection parameter used for detecting data tampering.

Then, in step S702, the data to be recorded is encrypted using the data encryption keys 1113 and 2113, and in step S703, the hash value calculated in step S701 is recorded in the concealed areas 111 and 211, and the step. The encrypted data in S702 is recorded in the normal areas 112 and 212. It should be noted that the recording of the data here is sequentially performed without overwriting.

The data recorded in the normal areas 112 and 212 in this way is read out in the flow as shown in FIG. 10 (b). First, in step S801, the encrypted data is decrypted. For this, the data encryption keys 1113 and 2113 are used.

Then, in step S802, the hash value of the decoded data is calculated, and in step S803, the calculated hash value is compared with the hash value recorded in the concealed areas 111 and 211. Here, if the hash values do not match, that is, there is a high possibility that the data has been tampered with. Therefore, if it is determined in step S804 that the hash values do not match, the process proceeds to step S805 to delete or recover the data.

The data recovery here means, for example, backing up to the management server device 5 or another server device (not shown) in advance and acquiring the data at the time of recording the data or by periodic processing. It can be done by the method.

Further, when falsification of data is detected, it is preferable that the data existing on another terminal and the analysis result thereof are also configured to perform falsification detection processing.

In this way, by reading and writing data that combines encryption and falsification detection based on hash values, it is possible to securely store the data and prevent unauthorized falsification. Further, it is preferable to have a configuration in which data tampering detection processing is performed by the processing as shown in FIG. 10B by processing based on the user's instruction or periodic processing.

In this embodiment, the program, health information, health information passbook, analysis information, etc. executed by the health information distribution side device 1 and the health information reception / analysis side device 2 are distributed to the distribution side media 11, the reception / analysis side media, and the like. Although the configuration to be stored in 21 is shown, the present invention is not limited to this. For example, links such as URLs and paths for accessing each information are securely stored in the distribution side media 11 and the reception / analysis side media 21, and by using them, the above-mentioned information can be accessed as a result. If so, it does not necessarily have to be stored in the distribution side media 11 or the reception / analysis side media 21. With such a configuration, even when the storage capacity of the distribution side media 11 is limited, a server device capable of communicating via the network NW, a health information distribution side device 1, and a health information reception / analysis side device A lot of information can be stored in the storage unit provided in 2.

As described above, the information owner decides the handling of information by setting the confidentiality level, and the information owner himself / herself by preventing the program that handles health information and analysis information and the falsification of health information and analysis information itself. It is possible to grasp the information of the information, decide the utilization policy and the distribution destination of the information to be utilized, and further expire or delete the distributed information.

As a result, it is difficult for the information owner who generated the information to grasp the whereabouts of the information once absorbed in the cloud after processing, as the information is sucked up without knowing it like the conventional cloud-based data utilization. It is possible to solve the problem that there is a risk of unauthorized falsification because the protection against falsification of information is entrusted to each business operator who utilizes the information. Then, without depending on a specific cloud server, the configuration is based on P2P communication using devices such as smartphones, which are widely used for personal-led information utilization, and media such as secure SD cards. It is possible to easily and flexibly realize highly reliable health information acquisition, storage, distribution, and processing without major investment or modification of infrastructure.

(Embodiment 2)
Hereinafter, Embodiment 2 of the present invention will be described in detail with reference to the drawings. The components that are basically the same as those in the first embodiment are designated by the same reference numerals to simplify the description. Also in the system using the information management terminal device according to the present embodiment, as described with reference to FIG. 1 in the first embodiment, the health information distribution side device 1, the health information reception / analysis side device 2, the terminal device 3, It includes a sensor 4 and a management server device 5. However, in the present embodiment, as the distribution side media 11 and the reception / analysis side media 21, a more general recording medium is used instead of the security-enhanced recording medium as described in the first embodiment. The difference is that the management server device 5 not only stores information about the sensor 4, but also has each information included in the concealed area 111.

<Health information distribution side device configuration>
FIG. 11 shows a functional block diagram of the health information distribution side device 1 according to the present embodiment. As shown here, the health information distribution side device 1 according to the present embodiment includes the same encoder 12, distribution unit 13, and personal / qualification information authentication means 14 as in the first embodiment. The distribution side media 11 is different from the first embodiment in that the distribution side media 11 includes the normal area 112 and the media identifier 113, and also includes the confidential information temporary storage unit 15. That is, the present embodiment has the normal area 112 (and the media identifier 113), but has the secret area 111, instead of the recording medium having the secret area 111 and the normal area 112 as in the SeeQVault exemplified in the first embodiment. It shows the configuration when a more general recording medium is used, which does not.

As will be described later, the secret information temporary storage unit 15 is an area for storing information to be included in the secret area 111 received from the management server device 5, and is volatile or non-volatile included in the health information distribution side device 1. This is an area secured in advance on the memory of the server or when receiving processing of information to be included in the secret area 111 from the management server device 5. Alternatively, the configuration may be such that an area used as the secret information temporary storage unit 15 is secured in the normal area 112 included in the distribution side media 11.

The media identifier 113 is a unique identifier included in each distribution-side media 11 that cannot be rewritten by the user. For example, an SD card has an area called a CID (card identification) register, which includes a serial number and cannot be rewritten by the user. Therefore, when an SD card is used as the distribution side media 11, it is used. It can be used as the media identifier 113.

Further, also in the present embodiment, each information contained in the normal area 112 can be transferred to a server device capable of communicating via the network NW, a storage unit provided in the health information distribution side device 1, or the like instead of the entity thereof. It may be configured to be held in the form of a link.

<Health information reception / analysis side device configuration>
FIG. 12 shows a functional block diagram of the health information receiving / analyzing side device 2 according to the present embodiment. As shown here, the health information receiving / analyzing side device 2 according to the present embodiment includes the same transmitting / receiving unit 22, the decoder 23, and the personal / qualification information authentication means 24 as in the first embodiment. The reception / analysis side media 21 is different from the first embodiment in that the normal area 212 and the media identifier 213 are provided, and the secret information temporary storage unit 25 is provided. That is, like the health information distribution side device 1 in the present embodiment, this is not a recording medium having a secret area 211 and a normal area 212 as in the SeeQVault exemplified in the first embodiment, but a normal area 212 (and a media identifier 213). ), But does not have a concealed area 211, and shows a configuration in the case of using a more general recording medium.

Like the secret information temporary storage unit 15, the secret information temporary storage unit 25 is placed on the health information reception / analysis side device 2 or on the normal area 212 of the reception / analysis side media 21 in advance or from the management server device 5. This is an area secured during the reception process of the secret area 211.

Similar to the media identifier 113, the media identifier 213 uses the value included in the CID register when the SD card is used as the reception / analysis side media 21, and the recording media used as the reception / analysis side media 21. A unique identifier can be used.

Further, also in the present embodiment, a server device capable of communicating each information included in the normal area 212 via the network NW instead of the substance thereof, a storage unit provided in the health information receiving / analyzing side device 2, and the like. It may be configured to be held in the form of a link to. With such a configuration, a large amount of information can be stored even when the storage capacity of the receiving / analyzing side media 21 is limited.

<Reception of confidential information, reading of programs, detection of tampering>
In the present embodiment, when the health information distribution side device 1 is started, or when the encoder program file 1121 and the distribution program file 1122 are read by periodic processing or processing according to a user's instruction, the management server device 5 is used. The secret area 111 of the above is received. FIG. 13 is a flowchart showing the flow of reception of the concealed area 111 and reading processing of the encoder program file 1121 and the distribution program file 1122. That is, it can be said that this corresponds to the process described with reference to FIG. 4 in the first embodiment.

First, in step S901, an authentication process is performed between the health information distribution side device 1 and the management server device 5. This is done by the media authentication means 121, 221 acquiring the media identifier 113 from the distribution side media 11 and transmitting it to the management server device 5.

If it is determined in step S902 that the authentication process is successful, the process proceeds to step S903, and the management server device 5 downloads the information to be included in the secret area 111. This is stored in the management server device 5 in a state in which the media identifier 113 and the information to be included in the corresponding concealed area 111 are associated with each other in advance, and the concealment corresponding to the media identifier 113 received by the management server device 5 in step S901. The information to be included in the area 111 may be transmitted from the management server device 5 to the health information distribution side device 1 in step S903.

In step S903, the secret area 111 is recorded in the secret information temporary storage unit 15. Here, if the area used as the secret information temporary storage unit 15 is not secured in advance, the process of securing the area is performed first. Here, as in the case where the secret area 111 is included in the distribution side media 11 in the first embodiment, mutual authentication between the device and the media is established between the device authentication means 1111 and the media authentication means 121 and 131. It can only be accessed if.

After that, in step S904, the encoder program file 1121 is read as the encoder program 124 and the distribution program file 1122 is read as the decoder program 234 in the same manner as in the process performed in step S103 of FIG. 4 in the first embodiment.

As described above, the preparation of the secret area 111, the encoder program 124, and the distribution program 134 on the health information distribution side device 1 is completed. Further, when reading the secret area 211, the transmission / reception program file 2121, and the decoder program file 2122 on the health information reception / analysis side device 2, the same processing is performed by the health information reception / analysis side device 2.

In this way, the authentication process using the media identifiers 113 and 213 is performed, and the information included in the secret area 111 and the secret area 211 is downloaded from the management server device 5, so that the special area has the secret area and the normal area. The health information distribution side device 1 and the health information reception / analysis side device 2 according to the present invention can be realized by using a normal SD card or the like without using a recording medium.

In the present embodiment, in step S901, the configuration in which the media identifier 113 and the media identifier 213 are transmitted to the management server device 5 to perform the authentication process between the device and the server is shown. The device-specific identifiers of the distribution-side device 1 and the health information reception / analysis-side device 2 (for example, the MAC address of the communication unit of the device, the serial number of the device, etc.) are also transmitted, and the management server device 5 communicates with the device. The correspondence with the recording medium may be stored in advance and confirmed in the authentication process. With such a configuration, the health information distribution side device 1 and the health information reception / analysis side device 2 according to the present embodiment can be realized only when the device and the recording medium registered in advance are used. It can make fraudulent activities such as falsification more difficult.

After the processing as described above completes the download and recording of the concealed areas 111 and 211 to the health information distribution side device 1 and the health information reception / analysis side device 2, and the reading process of each program to the device, the embodiment is performed. As described in FIG. 1, the program tampering detection process by the process shown in FIG. 5, the health information acquisition process by the health information distribution side device 1 as shown in FIG. 6, and the health information acquisition process from the sensor 4 as shown in FIG. 7 are shown in FIG. Health information reception / analysis by the health information distribution side device 1 as shown, health information distribution processing to the analysis side device 2 and terminal device 3, and health information reception / analysis side device 2 as shown in FIG. Analysis processing etc. are performed.

Further, the writing / reading processing of the health information and the health information passbook in the health information distribution side device 1 and the health information reception / analysis side device 2 is performed in the same manner as the processing in the first embodiment as shown in FIG. .. However, here, the information in the secret areas 111 and 211 is updated, such as the update of the media file system control information 1112 and 2112 accompanying the writing of data, and the writing of the hash value to the hidden areas 111 and 211 for tampering detection. After that, uploading to the management server device 5 is performed sequentially or periodically, and the data is included in the secret areas 111 and 211 stored in association with the media identifiers 113 and 213 on the management server device 5. Information is updated.

In the present specification, in the first embodiment, the health information distribution side device 1 and the health information reception / analysis side device 2 are realized by using a secure recording medium, and in the second embodiment, a more general recording medium. Although the configuration for realizing the health information distribution side device 1 and the health information reception / analysis side device 2 is shown using the above, the health information distribution side device 1 shown in the first embodiment and the health information reception / analysis shown in the second embodiment are shown. The analysis side device 2, the health information distribution side device 1 shown in the second embodiment, the health information reception / analysis side device 2 shown in the first embodiment, and the health information reception / analysis side device 2 shown in the first embodiment and the embodiment. The health information distribution side device 1 and the health information reception / analysis side device 2 as shown in the respective embodiments, such as the health information reception / analysis side device 2 shown in 2, mutually provide health information. It may be configured so that analysis information can be exchanged.

(Embodiment 3)
Hereinafter, Embodiment 3 of the present invention will be described in detail with reference to the drawings. The components that are basically the same as those in the first embodiment are designated by the same reference numerals to simplify the description. Also in the system using the information management terminal device according to the present embodiment, as described with reference to FIG. 1 in the first embodiment, the health information distribution side device 1, the health information reception / analysis side device 2, the terminal device 3, It includes a sensor 4 and a management server device 5. Then, as described in the first embodiment, the health information acquisition process from the sensor 4 by the health information distribution side device 1 as shown in FIG. 6, and the health by the health information distribution side device 1 as shown in FIG. Information reception / analysis processing of distributing health information to the device 2 and terminal device 3 and processing of analysis of health information by the health information reception / analysis side device 2 as shown in FIG. 8 are performed.

However, in the system using the information management terminal device according to the present embodiment, the processes related to data recording and reading and the processes related to program tampering detection are different from those shown in the first embodiment.

<Health information distribution side device configuration>
FIG. 14 shows a functional block diagram of the health information distribution side device 1 according to the present embodiment. As shown here, the health information distribution side device 1 according to the present embodiment is a distribution side media 11 and an encoder which are recording media having a secret area 111 such as SeeQVault and a normal area 112, as in the first embodiment. 12, distribution unit 13, personal / credential information authentication means 14 are provided.

In the first embodiment, the hash value of the data to be inspected or the program is stored in the concealed area 111 as a tampering detection parameter. On the other hand, in the present embodiment, the secret area 111 has a signature key 1115 as a tampering detection parameter, and the normal area 112 has a health information passbook 1123 and an electronic signature 1125 of health information 1124.

In the present embodiment, the hash value itself of the data to be detected for tampering and the program is stored in the normal area 112. Then, the signature key 1115 for encrypting these hash values and generating an electronic signature is held in the secret area 111 as a tampering detection parameter. In this embodiment, in order to use public key cryptography, a case where a pair of a private key and a public key is held as a signing key 1115 and the public key is used as a signing key is illustrated. Alternatively, only the private key may be held as the signature key 1115, and the public key paired with the private key may be configured to be available from an external server or the like (not shown) as needed.

Further, the data may be encrypted by using a common key encryption method and holding the common key as the data encryption key 1113, and the data may be encrypted by using the public key encryption method. The key 1113 may be configured to hold a pair of a private key and a public key. Alternatively, only the private key may be held as the data encryption key 1113, and the public key paired with the private key may be configured to be available from an external server or the like (not shown) as needed.

Further, also in the present embodiment, each information contained in the normal area 112 can be transferred to a server device capable of communicating via the network NW, a storage unit provided in the health information distribution side device 1, or the like instead of the entity thereof. It may be configured to be held in the form of a link.

<Health information reception / analysis side device configuration>
FIG. 15 shows a functional block diagram of the health information receiving / analyzing side device 2 according to the present embodiment. As shown here, the health information receiving / analyzing side device 2 according to the present embodiment is a distribution side media 11 which is a recording medium having a secret area 111 such as SeeQVault and a normal area 112, as in the first embodiment. , The transmission / reception unit 22, the decoder 23, and the personal / credential information authentication means 24.

Then, similarly to the health information distribution side device 1 according to the present embodiment described above with reference to FIG. 14, the signature key 2115 is set in the concealed area 211 as a tampering detection parameter, and the health information passbook / health is set in the normal area 112. It has an electronic signature 2125 of information 2123 and analysis result information 2124, respectively.

As for the signing key 2115 here, the pair of the private key and the public key is held as the signing key 2115 as in the signing key 1115 in the health information distribution side device 1 described above, and the public key among them is held. Is used as a signing key. Alternatively, only the private key may be held as the signing key 2115, and the public key paired with the private key may be configured to be available from an external server or the like (not shown) as needed.

As for the data encryption key 2113 here, the common key encryption method is used for data encryption as in the data encryption key 1113 in the health information distribution side device 1 described above, and the common key is used as the data encryption key 2113. It may be configured to be retained, or as a public key encryption method is used for data encryption, the private key / public key pair used for data encryption, or only the private key is retained as the data encryption key 2113. It may be configured to do so.

Further, also in the present embodiment, a server device capable of communicating each information included in the normal area 212 via the network NW instead of the substance thereof, a storage unit provided in the health information receiving / analyzing side device 2, and the like. It may be configured to be held in the form of a link to. With such a configuration, a large amount of information can be stored even when the storage capacity of the receiving / analyzing side media 21 is limited.

<File recording / reading processing by the media file system>
In the health information distribution side device 1 and the health information reception / analysis side device 2 according to the present embodiment, data is read / written using the signature keys 1115 and 2115 as tampering detection parameters. FIG. 16A is a flowchart showing a data recording process according to the present embodiment.

First, in step S1001, the data is encrypted with the data encryption key 1113. Then, the encrypted data obtained thereby is recorded in the normal area 112 or 212 in step S1002.

Then, in the following step S1003, the hash value of the encrypted data is calculated. Here, processing using an arbitrary predetermined hash function may be performed. The hash value of the data calculated in step S1003 is encrypted with the public key of the signature key 1115 or the signature key 2115 in step S1004. That is, this is a process of assigning a digital signature to the encrypted data using the signature keys 1115 and 2115.

Finally, in step S1005, the electronic signature is recorded in the normal area 112 or 212, and the data recording process is completed.

In this way, the secret area 111, 211 is configured to hold the signature key for encrypting the hash value and generating the electronic signature as a tampering detection parameter in the secret area 111, 211 instead of the hash value itself. Even when the amount of data that can be recorded is limited to a small amount, the data can be accumulated in a form in which the tampering detection process can be performed later.

Subsequently, the data reading process in the present embodiment will be described with reference to FIG. 16 (b). First, in step S1101, the hash value of the encrypted data to be read is calculated.

Then, in the following step S1102, the electronic signature attached to the encrypted data is decrypted. Here, as described above, in the present embodiment, a case where a public key cryptosystem is used and a public key among a private key / public key pair is used as a signing key is illustrated. Therefore, for decrypting the electronic signature here, a private key paired with the public key used for creating the electronic signature in step S1004 in the data recording process is used.

In step S1103, the hash value calculated from the encrypted data in step S1101 is compared with the hash value obtained by decrypting the electronic signature in step S1102. Here, when it is determined that these hash values are the same, it is determined that the data has not been tampered with, and the process proceeds from step S1104 to step S1105 to decode the data.

Here, if a common key method is used for data encryption, decryption may be performed using the same key as the key used when the data was encrypted. Alternatively, if the public key method is used for data encryption, decryption may be performed using the private key (or public key) which is a pair of the public key (or private key) used for data encryption.

On the other hand, if it is determined that the hash values do not match as a result of comparing the hash values in step S1103, there is a risk of falsification of the data. Therefore, the process proceeds from step S1104 to step S1106 to perform processing such as data deletion and recovery. The data recovery here may be performed by any method, for example, backing up the data to a predetermined server in advance and acquiring the data. Further, the data may be recovered first, and if the data is unsuccessful, only the data may be deleted.

By recording and reading the data as described above, the signature keys 1115 and 2115 can be used as the falsification detection parameter, and the data can be handled in a state where the falsification can be detected.

<Program tampering detection processing>
Next, the tampering detection process of the program in the present embodiment will be described with reference to the flowchart shown in FIG. This shows the flow of tampering detection processing of the encoder program file 1121 and the distribution program file 1122 in the health information distribution side device 1, the transmission / reception program file 2121 and the decoder program file 2122 in the health information reception / analysis side device 2.

First, in step S1201, the hash value of the program to be inspected is calculated. Then, in step S1202, the electronic signature of the program to be inspected is acquired. Here, the electronic signature may be previously recorded in the normal areas 112 and 212 together with the program, or may be appropriately received from an external server or the like when the program is tampered with. May be good. In the electronic signature acquired here, the hash value calculated from the legitimate program is encrypted by the public key of the signature key 1115 or the signature key 1115.

Then, the electronic signature is decrypted in step S1203. For decryption here, the private key of the signature key 1115 or the signature key 1115 is used. As a result, the hash value of the program to be inspected can be obtained.

In step S1204, the hash value calculated from the program to be inspected in step S1201 is compared with the hash value obtained by decoding the electronic signature in step S1203. Here, when it is determined that these hash values are the same, it is determined that the program has not been tampered with, and the process ends from step S1205.

On the other hand, if it is determined that the hash values do not match as a result of comparing the hash values in step S1204, there is a risk of falsification of the program. Therefore, the process proceeds from step S1205 to step S1206 to reload the program to be inspected. The program reloading process in step S1206 may be performed by the same process as that described with reference to FIG. 4 in the first embodiment.

<Data exchange between devices>
It is preferable that the data encryption keys 1113 and 2113 and the signing keys 1115 and 2115 in the information management terminal device according to the present embodiment are configured to be different for each device. In such a configuration, more secure information can be exchanged between devices by exchanging a data encryption key and a signature key by using the tampering detection parameter concealment distribution means 136,226. ..

Here, a procedure for exchanging data between devices using a public key cryptosystem for data encryption will be described. FIG. 18 shows, as an example, the flow of processing when data is transmitted from the health information distribution side device 1 to the health information reception / analysis side device 2a. Here, an example of adopting a public key cryptosystem for data encryption is shown.

First, in step S1301, the signing public key and data encryption key 2113 included in the signing key 2115 held by the health information receiving / analyzing device 2a from the health information receiving / analyzing device 2a to the health information distribution side device 1 The public key for data encryption included in the above is transmitted to the device 1 on the health information distribution side. This may be started as a process of requesting data transmission from the health information receiving / analysis side device 2a to the health information distribution side device 1, or the health information receiving / analysis side from the health information distribution side device 1. The device 2a may be requested to accept the data and may be started as a response to the request.

In the following step S1302, the health information distribution side device 1 performs data encryption processing using the data encryption public key received in step S1301. Then, in step S1303, a transmission signature is created for the encrypted data using the signature public key received in step S1301. That is, as described above with reference to steps S1003 to S1004 of FIG. 16A, this is a process of generating a hash value of encrypted data and encrypting it with a signing public key.

Then, in step S1304, the data encrypted in step S1302 and the electronic signature created in step S1303 are transmitted from the health information distribution side device 1 to the health information reception / analysis side device 2a.

The health information receiving / analyzing side device 2a that has received the encrypted data and the electronic signature for the encrypted data decrypts them. First, in step S1305, the electronic signature is verified. That is, as described above with reference to steps S1101 to S1103 of FIG. 16B, the hash value of the encrypted data is calculated and the digital signature using the private key for digital signature held by the user is used. It is a process of decoding and comparing the hash values obtained by those processes. Then, when it is determined by the verification of the electronic signature that the data has not been tampered with, in step S1306, the data is decrypted using the data encryption private key held by the user.

In this way, the public key used for signing and data encryption is transmitted from the device that receives the data to the device that sends the data, and the encrypted data is generated and digitally signed using the public key. By configuring the process for creating data, data verification and decryption can be performed only on the device on the receiving side that holds the private key paired with those public keys.

If a common key encryption method is used for data encryption, the data encryption key 2113 held by the health information reception / analysis side device 2a is transmitted to the health information distribution side device 1 in step S1301. The process may be such that the data encryption key 2113 is used for the encryption in step S1302 and the decryption in step S1306.

Here, an example of a process of transmitting data from the health information distribution side device 1 to the health information reception / analysis side device 2a has been shown. And when the result is transmitted to the health information distribution side device 1, the data transmission side and the reception side may be exchanged and the same processing may be performed.

As described above, according to the system using the information management terminal device according to the present embodiment, the signature key 1115, 2115 is held as a tampering detection parameter in the concealed area, and the electronic signature created by using the signature key 1115, 2115 is used. By configuring the data or program tampering detection process, the recording medium whose capacity of the concealed area is limited can also be used as the distribution side media 11 or the reception / analysis side media.

In addition, data is configured by preparing a different signing key and data encryption key for each device, and by performing a process of transmitting the public key from the receiving device to the transmitting device in advance when sending and receiving data. Data can be sent and received more safely in a state where verification and decryption are possible only with the device on the receiving side.

1 Health information distribution side device 11 Distribution side media 111 Confidential area 1111 Device authentication means 1112 Media file System control information 1113 Data encryption key 1114 Manipulation detection parameter 1115 Signing key 112 Normal area 1121 Encoder program file 1122 Distribution program file 1123 Health information passbook 1124 Health information 1125 Electronic signature 113 Media identifier 12 Encoder 121 Media authentication means 122 Media file system 123 Manipulation detection means 124 Manipulation detection means 124 Encoder program 1241 Sensor authentication means 1242 Health information acquisition means 1243 Health information storage means 13 Distribution unit 131 Media authentication means 132 Media file System 133 Manipulation detection means 134 Distribution program 1341 Health information container generation means 1342 Health information container distribution means 135 Information distribution destination / concealment level designation input reception means 136 Manipulation detection parameter concealment distribution means 14 Personal / credential information authentication means 15 Confidential information temporary Storage unit 2 Health information reception / analysis side device 21 Reception / analysis side media 211 Confidential area 2111 Device authentication means 2112 Media file system control information 2113 Data encryption key 2114 Manipulation detection parameter 2115 Signing key 212 Normal area 2121 Transmission / reception program file 2122 Decoder Program file 2123 Health information passbook / Health information 2124 Analysis result information 2125 Electronic signature 213 Media identifier 22 Transmission / reception unit 221 Media authentication means 222 Media file system 223 Manipulation detection means 224 Transmission / reception program 2241 Health / analysis information container Receiving means 2242 Health / analysis information Container opening means 2243 Analysis information container transmission means 225 Concealment level determination means 226 Manipulation detection parameter Concealment distribution means 23 Decoder 231 Media authentication means 232 Media file system 233 Manipulation detection means 234 Decoder program 2341 Browsing control means 2342 Health information analysis means 24 Individual -Credential authentication means 25 Confidential information temporary storage 3 Terminal device 4 Sensor 5 Management server device NW network

Claims (10)

An information acquisition means for acquiring the first information to be managed, an information storage means for accumulating the first information and a second information which is additional information to the first information, and a storage medium. It is an information management terminal device that is provided.
The storage medium has a secret area that can be accessed only by a specific program including a program that operates the information management terminal device as the information storage means, and a normal area that can be accessed by programs other than the specific program.
The information storage means sequentially stores the first information or the link that can refer to the first information and the link that can refer to the second information or the second information in the normal region. And
The concealed area holds a data tampering detection parameter for detecting tampering with the first information and / or the second information.
Further provided with a distribution means for selecting and outputting distribution target information from the first information and the second information accumulated by the information storage means.
An information management terminal device, wherein the second information includes at least one of an output history by the distribution means and information specifying an output destination by the distribution means. The data tampering detection parameter uses the first information and / or the second information to generate information for detecting the presence or absence of tampering with the first information and / or the second information. The information management terminal device according to claim 1, wherein the information management terminal device is a key. The concealed area includes a program tampering detection parameter for detecting tampering with the specific program.
The information management terminal device according to claim 1 or 2, further comprising a program tampering detection means that performs tampering detection processing of the specific program using the program tampering detection parameter. The program tampering detection means periodically performs tampering detection processing of the specific program,
When the falsification of the specific program is detected, the first information and the second information accumulated from the time when the previous falsification detection process of the specific program is executed to the time when the falsification of the program is detected. The information management terminal device according to claim 3, wherein the information management terminal device is deleted or restored. A data tampering detection means for performing tampering detection processing of the first information and / or the second information using the data tampering detection parameter is provided.
When the data tampering detecting means detects falsification of the first information and / or the second information, the time when the previous falsification detection process of the first information and / or the second information is executed. The first information and / or the second information accumulated up to the time when the falsification of the second information is detected is deleted or recovered from the first information and / or the second information. The information management terminal device according to any one of 1 to 4. The distribution means includes a concealment level setting means for setting a concealment level of the selected distribution target information, and a means for adding the concealment level as additional information to the distribution target information and outputting the concealment level. , The information management terminal device according to any one of claims 1 to 5. The confidentiality level is
Class 0, which transmits the distribution target information without encryption, and
Class 1 to be transmitted with the distribution target information encrypted, and
Class 2 that encrypts the distribution target information, prohibits duplication at the output destination, sets the expiration date of the distribution target information, and transmits the information.
Class 3 that encrypts the distribution target information, prohibits duplication at the output destination, restricts the handling of processing result information caused by arbitrary processing on the distribution target information, sets an expiration date of the distribution target information, and transmits the class 3. The information management terminal device according to claim 6, wherein the information management terminal device comprises. The information management terminal device according to claim 6, wherein the second information further includes the confidentiality level. The information management terminal device according to any one of claims 1 to 8, further comprising an individual / qualification information authentication means for authenticating the acquisition and distribution of the first information. The information management terminal device according to any one of claims 1 to 9, wherein the first information is information on the health of a thing, and is device state information, device operation information, or environmental information. ..

Images